May 18, 2017

The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert in the wake of the widespread WannaCry ransomware attack that has inflicted hundreds of thousands of users since last week.

The OCIE stated that the Risk Alertwas intended to highlight "the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis."Specifically, the Risk Alert recommends that broker-dealers and investment management firms review the U.S. Computer Emergency Readiness Team’s Alert TA17-132A"Indicators Associated With WannaCry Ransomware" and evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.

The Risk Alert also discussed a recent survey of 75 SEC registered broker-dealers, investment advisers, and investment companies conducted by OCIE's National Examination Program staff. The survey assessed the entities' cybersecurity preparedness, finding "a wide range of information security practices, procedures, and controls across registrants that may be tailored to the firms' operations, lines of business, risk profile and size." Specifically, the survey found:

26 percent of advisers and 5 percent of broker-dealers did not conduct periodic risk assessments of critical systems to identify cybersecurity threats and vulnerabilities;

57 percent of investment management firms and 5 percent of broker-dealers did not conduct penetration testing; and

10 percent of broker-dealers and 4 percent of investment management firms had a significant number of critical and high-risk security patches that were not properly updated (editorial note: this is the type of cyber hygiene failure that led to the WannaCry ransomware attack of last week).

OCIE also reiterated its April 2015 Cybersecurity Guidancein which it recommended that investment companies and advisers take the following actions:

Conduct a periodic assessment of:

the nature, sensitivity, and location of information that the firm collects, processes and/or stores, and the technology systems it uses;

internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;

security controls and processes currently in place;

the impact should the information or technological systems become compromised; and

the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.

Create a strategy that is designed to prevent, detect, and respond to cybersecurity threats. Such a strategy could include:

protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;

data backup and retrieval; and

the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy.

Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect, and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.

The OCIE's Risk Alert once again highlights the importance of cybersecurity preparedness in this field. The Risk Alert comes only weeks after the Colorado Division of Securities published proposed rules directed at establishing cybersecurity requirements for broker-dealers and investment advisers. The Colorado Division of Securities conducted a public hearing on the proposed rules on May 2, 2017, and received comments on May 9, 2017. The final rules are expected to be published in June.

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk. We regularly advise clients on the development and review of risk-based information security programs, including risk assessments and incident response planning.

Attorneys in our Securities Enforcement and Corporate Governance Litigation Group represent clients in investigations, regulatory proceedings, and litigation involving the SEC, state attorneys general, and state securities regulators.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.